From 5631d65a09fe2249d22fad0985c25dc776b41808 Mon Sep 17 00:00:00 2001
From: Naushir Patuck <naush@raspberrypi.com>
Date: Fri, 2 Sep 2022 08:35:35 +0100
Subject: [PATCH] media: bcm2835-unicam: Fix for possible dummy buffer
 overrun

The Unicam hardware has been observed to cause a buffer overrun when using the
dummy buffer as a circular buffer. The conditions that cause the overrun are not
fully known, but it seems to occur when the memory bus is heavily loaded.

To avoid the overrun, program the hardware with a buffer size of 0 when using
the dummy buffer. This will cause overrun into the allocated dummy buffer, but
avoid out of bounds writes.

Signed-off-by: Naushir Patuck <naush@raspberrypi.com>
---
 drivers/media/platform/bcm2835/bcm2835-unicam.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/drivers/media/platform/bcm2835/bcm2835-unicam.c
+++ b/drivers/media/platform/bcm2835/bcm2835-unicam.c
@@ -126,8 +126,11 @@ MODULE_PARM_DESC(media_controller, "Use
 #define UNICAM_EMBEDDED_SIZE	16384
 
 /*
- * Size of the dummy buffer. Can be any size really, but the DMA
- * allocation works in units of page sizes.
+ * Size of the dummy buffer allocation.
+ *
+ * Due to a HW bug causing buffer overruns in circular buffer mode under certain
+ * (not yet fully known) conditions, the dummy buffer allocation is set to a
+ * a single page size, but the hardware gets programmed with a buffer size of 0.
  */
 #define DUMMY_BUF_SIZE		(PAGE_SIZE)
 
@@ -843,8 +846,7 @@ static void unicam_schedule_dummy_buffer
 	unicam_dbg(3, dev, "Scheduling dummy buffer for node %d\n",
 		   node->pad_id);
 
-	unicam_wr_dma_addr(dev, node->dummy_buf_dma_addr, DUMMY_BUF_SIZE,
-			   node->pad_id);
+	unicam_wr_dma_addr(dev, node->dummy_buf_dma_addr, 0, node->pad_id);
 	node->next_frm = NULL;
 }
 
@@ -2662,8 +2664,8 @@ static void unicam_stop_streaming(struct
 		 * This is only really needed if the embedded data pad is
 		 * disabled before the image pad.
 		 */
-		unicam_wr_dma_addr(dev, node->dummy_buf_dma_addr,
-				   DUMMY_BUF_SIZE, METADATA_PAD);
+		unicam_wr_dma_addr(dev, node->dummy_buf_dma_addr, 0,
+				   METADATA_PAD);
 	}
 
 	/* Clear all queued buffers for the node */
